Homomorphic Encryption: Introduction to Bootstrapping Operations Using CKKS as an Example (Irregularly Updated)

The bootstrapping operation of homomorphic encryption was first proposed by Gentry in his doctoral dissertation, and it is the key step in converting leveled homomorphic encryption into fully homomorphic encryption. All current bootstrapping work is based on Gentry's idea, and nothing better has been found.

This blog is going to talk about the principle of Bootstrapping, and at the same time look at how Bootstrapping is implemented in CKKS.

In order to understand the principle of Bootstrapping, we first look at a story.

Story

Alice is a senior jewelry craftsman, she also manages a jewelry store, and a certain smart young man Bob is her apprentice.

As the saying goes, teach the apprentice and the master starves. Alice does not want Bob to see what the semi-finished product looks like after each step of jewelry processing, because if Bob sees the intermediate product at every step, he can work out the whole process and then go into business on his own, out-competing Alice with his efficiency and youth.

If you don't believe it, ask someone to trace a word on your back, and compare how likely you are to recognize the word when you watch the whole word being drawn with when you rely on touch alone.

But two people always produce more than one. Alice was reluctant to drive away such a useful labor force.

Alice's core requirement: to allow Bob to process jewelry blanks without seeing them.

Alice invented a glove box one day, just like the one in the picture below:
[Figure: the glove box]

This is what the glove box is like:

It is pitch black, and it is impossible to see what is inside from the outside. There are two doors: one is locked, and once it is unlocked you can take things out or put things in; the other is one-way, so you can throw anything in but cannot get it out.

So Alice gave the glove box to Bob and asked him to do the jewelry processing. Specifically, Alice throws a jewelry blank into the glove box each time and lets Bob process it according to the fixed procedure. After the processing is finished, Alice unlocks the glove box and takes out the finished product.

After going on like this for a while, Alice found that Bob's work efficiency through the glove box was not high enough, and that, due to the design of the glove box itself, some error is introduced at each step of the processing. As a result, jewelry in a glove box can be processed at most L times; otherwise, once enough error has accumulated, the jewelry in the glove box is ruined and becomes a defective product. Alice's temporary solution is to take out the intermediate product every few steps and refine it herself, but this is too much trouble.

Until one day, Alice bought another glove box. In order to distinguish, the old glove box is called glove box A, and the newly purchased glove box is called glove box B.

Alice made copies of the keys to both glove boxes herself. Before starting work today, Alice put the blank in glove box A, and then put the key of glove box A in glove box B.

Then, after Bob had performed several processing steps in glove box A, he threw the whole of glove box A into glove box B, used the key of A that had already been placed in glove box B to take the semi-finished product out of A, and continued processing inside glove box B.

Reality

This is where the story ends. Mapped onto the real world, the jewelry blanks are private data, the glove boxes are homomorphic encryption schemes, the one-way doors are public keys, and the keys are private keys.

The nesting of one glove box inside another is bootstrapping.

Essentially, bootstrapping runs a decrypt-then-encrypt process under the ciphertext.

Homomorphic encryption in general involves three things: encryption, computation, and decryption. Whether the glove box story can be applied in reality therefore depends largely on whether the encryption and decryption functions can themselves be evaluated on encrypted data.

And this is not a simple matter.

Bootstrapping operation of CKKS scheme

The realization in the CKKS scheme is actually not exactly the same as Gentry's idea. The CKKS scheme does not use an encryption of $s$; instead, it decodes and encodes once under the ciphertext.

First look at the main API and main principles of the CKKS scheme. You can refer to it here, or see the picture below. Of course, there may be some places in these two articles that are unclear or even wrong, but the purpose of this article is not to give a rigorous introduction; it is to leave a general impression so that everyone can better understand the original paper.
For convenience, here is the main API of the CKKS scheme:

[Figure: main API of the CKKS scheme]
Here we focus on the encoding and decoding of CKKS.

In my CKKS introduction article, I mentioned that the vector encoding requires an interpolation. Specifically, consider the primitive roots $\xi_i$ of the cyclotomic polynomial and the components $m_i$ of the plaintext vector; interpolation (encoding) generates a polynomial $p$ such that $p(\xi_i) = m_i$, which determines the coefficients of $p$.

We also mentioned that encoding and decoding can be performed in parallel using SIMD (Single Instruction, Multiple Data). For example, the decoding operation can be written as:
$$m = Up$$
where $p$ is the vector of coefficients of the polynomial $p$, and $U$ is shown in the picture below. The matrix operations can be accelerated through parallel computing (GPU/FPGA, etc.).
[Figure: the matrix $U$]

If you want to implement encoding, you only need to reverse this process.
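The decoding $m = Up$ and its inverse can be tried out directly. The following is an added example, not code from the original post: it assumes $U$ is the Vandermonde matrix of the roots of $X^N + 1$ (which is what $p(\xi_i) = m_i$ implies), uses all $N$ roots as slots, and all function names are chosen here for illustration.

```python
import cmath

def roots(N):
    """Zeros of X^N + 1: the primitive 2N-th roots of unity exp(i*pi*(2k+1)/N)."""
    return [cmath.exp(1j * cmath.pi * (2 * k + 1) / N) for k in range(N)]

def vandermonde(N):
    """U[i][j] = xi_i ** j, so that (U p)[i] = p(xi_i)."""
    return [[xi ** j for j in range(N)] for xi in roots(N)]

def decode(p):
    """m = U p: evaluate the polynomial with coefficient vector p at every root."""
    return [sum(u * c for u, c in zip(row, p)) for row in vandermonde(len(p))]

def encode(m):
    """p = U^{-1} m (interpolation). For these roots U^H U = N*I, so U^{-1} = U^H / N."""
    N = len(m)
    U = vandermonde(N)
    return [sum(U[i][j].conjugate() * m[i] for i in range(N)) / N for j in range(N)]

def negacyclic_mul(a, b):
    """Product of two polynomials modulo X^N + 1 (X^N wraps around to -1)."""
    N = len(a)
    out = [0] * N
    for i, x in enumerate(a):
        for j, y in enumerate(b):
            if i + j < N:
                out[i + j] += x * y
            else:
                out[i + j - N] -= x * y
    return out

if __name__ == "__main__":
    # Constructed sample slots; m[N-1-k] = conj(m[k]) makes the coefficients real.
    m1 = [1 + 2j, 3 - 1j, 3 + 1j, 1 - 2j]
    m2 = [0.5j, 2, 2, -0.5j]
    p1, p2 = encode(m1), encode(m2)
    print("coefficients of p1:", [round(c.real, 6) for c in p1])
    # One polynomial multiplication acts on every slot at once (SIMD).
    prod = decode(negacyclic_mul(p1, p2))
    print("slots of p1*p2:", [complex(round(z.real, 6), round(z.imag, 6)) for z in prod])
```

Decoding the product polynomial gives the slot-by-slot product of `m1` and `m2`, which is the SIMD behaviour mentioned above.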

Some preliminary knowledge in the CKKS Bootstrapping scheme

If you feel unclear about this part, you can skip to the next part first, directly grasp the context of Bootstrapping, and then come back to see the details according to the problems in the context.

First, analyze the method of CKKS decryption:
$$m = (c_0 + c_1 s) \bmod q$$

There are two main steps here: one is to compute $c_0 + c_1 s$, the other is to compute $F(x) = x \bmod q$.

But this $F$ is a discontinuous periodic function, so we want to approximate it.

We impose a precondition: the coefficients of the plaintext polynomial $m$ are relatively small compared with $q$. In fact, this can be arranged, because you can decrypt while there is still enough multiplicative depth left.

Therefore, we rewrite the decryption process according to the above precondition. For a ciphertext $(c_0, c_1)$ at a certain level $l$, decrypt:
$$t = (c_0 + c_1 s) \bmod Q_l$$

Here, $t = qI + m$, where $|I| < K$ and $K$ is a positive integer.

At this point, we can use the sine function (more generally, an exponential function) to approximate $F[t] = t \bmod q$.

But because homomorphic encryption only supports addition and multiplication, a Taylor expansion or Chebyshev expansion can be used to evaluate it.
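An added example (not from the original post) of approximating $F(t) = t \bmod q$ by a sine evaluated as a Taylor polynomial; the parameters $q = 2^{20}$, $K = 3$ and the function names are constructed for illustration. It also shows two ways the approximation fails: a message that is not small relative to $q$, and too few Taylor terms for the range of $t$.

```python
import math

def sin_taylor(x, terms):
    """sin(x) as a truncated Taylor polynomial: only additions and multiplications
    (the divisions are by public constants, i.e. multiplications by plaintexts)."""
    total, term = 0.0, x
    for n in range(terms):
        total += term
        term *= -x * x / ((2 * n + 2) * (2 * n + 3))
    return total

def approx_mod_q(t, q, terms=30):
    """Approximate F(t) = t mod q for t = q*I + m with |m| << q:
    sin(2*pi*t/q) = sin(2*pi*m/q) ~ 2*pi*m/q, so m ~ q/(2*pi) * sin(2*pi*t/q)."""
    return q / (2 * math.pi) * sin_taylor(2 * math.pi * t / q, terms)

def max_error(q, K, messages, terms=30):
    """Largest |approximation - m| over every t = q*I + m with |I| < K."""
    return max(abs(approx_mod_q(q * I + m, q, terms) - m)
               for I in range(-K + 1, K) for m in messages)

if __name__ == "__main__":
    q, K = 2 ** 20, 3                      # constructed toy parameters
    small = [-1000, -37, 0, 5, 1000]       # |m| << q: the precondition holds
    print("max error, small m:", max_error(q, K, small))
    # Precondition violated: m = q/4 is not small, so the sine flattens out.
    print("error at m = q/4  :", abs(approx_mod_q(q // 4, q) - q // 4))
    # Too few Taylor terms for the range |t| < K*q also breaks the result.
    print("max error, 8 terms:", max_error(q, K, small, terms=8))
```

The residual error for small $m$ is dominated by the cubic term of the sine, roughly $(2\pi)^2 m^3 / (6q^2)$, which is why the precondition on the size of $m$ matters.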

The CKKS scheme also involves matrix-vector multiplication under the ciphertext. Here a picture shows the steps of a classic matrix-vector multiplication, which uses all the APIs of CKKS: vector addition, vector multiplication and relinearization, and rotation.
[Figure: steps of matrix-vector multiplication under the ciphertext]
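One standard way to build a matrix-vector product from rotations, slot-wise multiplications and additions is the diagonal method, shown below on plain Python lists standing in for ciphertext slots. This is an added example, not code from the original post, and the method in the original figure may differ; all function names are illustrative.

```python
def rotate(v, k):
    """Cyclic left rotation of the slots by k positions (the rotation primitive)."""
    k %= len(v)
    return v[k:] + v[:k]

def slot_mul(a, b):
    """Slot-wise (SIMD) multiplication of two vectors."""
    return [x * y for x, y in zip(a, b)]

def slot_add(a, b):
    """Slot-wise (SIMD) addition of two vectors."""
    return [x + y for x, y in zip(a, b)]

def diagonal(M, k):
    """k-th generalized diagonal of M: d_k[i] = M[i][(i + k) mod n]."""
    n = len(M)
    return [M[i][(i + k) % n] for i in range(n)]

def matvec_by_rotations(M, v):
    """M v = sum over k of d_k * rot(v, k).

    Row i of the sum is sum_k M[i][(i+k) mod n] * v[(i+k) mod n], which is
    exactly the i-th entry of M v. No individual slot is ever read out."""
    n = len(v)
    acc = [0] * n
    for k in range(n):
        acc = slot_add(acc, slot_mul(diagonal(M, k), rotate(v, k)))
    return acc

if __name__ == "__main__":
    # Constructed sample matrix and vector.
    M = [[1, 2, 3, 4], [5, 6, 7, 8], [9, 10, 11, 12], [13, 14, 15, 16]]
    v = [1, 2, 3, 4]
    print(matvec_by_rotations(M, v))
```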

General logic introduction of CKKS Bootstrapping scheme

[Figure: overview of the CKKS bootstrapping procedure]

As shown in the picture, it is divided into four parts: modulus raising, decoding, sine approximation, and encoding. All are done under the ciphertext.

In the first step, we have a ciphertext $ct = (c_0, c_1) \bmod Q_l$, whose corresponding plaintext polynomial is $m(X) = (c_0 + c_1 s) \bmod q$.

But if the decryption process does not reduce modulo $q$ (or instead reduces modulo a number $Q_0$ much larger than $q$), write $t(X) = (c_0 + c_1 s) \bmod Q_0$; here we have $t = qI + m$, where $I$ is a not too large integer. Then we have:
$$(c_0 + c_1 s) \bmod Q_0 = t(X)$$
Reflected in the ciphertext, this means that the modulus of $c_0, c_1 \bmod Q_l$ is raised and the ciphertext is rewritten as $c_0, c_1 \bmod Q_0$.
Note that here $Q_0$ and $Q_l$ are both multiples of $q$.

In executing this step, we find that decrypting $(c_0, c_1)$, both before and after modulus raising, as $m(X) = (c_0 + c_1 s) \bmod q$ ends with a reduction modulo $q$. This means that $(c_0, c_1)$ before and after modulus raising corresponds to the same $m$.

After this modulus raising step, we can do many multiplications again.

In the second step, we perform the decoding operation, under the ciphertext, on the encrypted plaintext polynomial $t(X) = (c_0 + c_1 s) \bmod Q_0$. Decoding here means substituting the primitive roots for $X$ in $t(X)$ to obtain the decoded vector $t \bmod Q_0$, which can be realized by the matrix-vector multiplication mentioned above.

But due to the reversibility of "encoding" and "decoding", the information contained in $t$ has not been eliminated.

In the third step, we perform the sine approximation on $t \bmod Q_0$ under the ciphertext to get $t \bmod q = m$, which yields the real plaintext $m$ (because of the modulus, $m$ and $t \bmod Q_0$ are fundamentally different).

Finally, go through the encoding process again under the ciphertext, which turns $t$ into $t(X)$. With that, the bootstrapping operation is complete.

There is some existing work on improving bootstrapping, much of which optimizes on this basis.


Origin blog.csdn.net/weixin_43466027/article/details/126013689